- Create an application in Okta
- Choose SAML 2.0
- Give the app any name
- Single sign on URL: KIBANA_ENDPOINT_URL/api/security/saml/callback
- Audience URI (SP Entity ID): KIBANA_ENDPOINT_URL/
Elasticsearch settings (elasticsearch.yml, or the deployment's user settings on Elastic Cloud). `sp.acs` and `sp.entity_id` must match the Okta values above exactly, trailing slash included:

```yaml
xpack:
  security:
    authc:
      realms:
        saml:
          cloud-saml:
            order: 2
            attributes.principal: "nameid:persistent"
            attributes.groups: "groups"
            idp.metadata.path: "<check with your identity provider>"
            idp.entity_id: "<check with your identity provider>"
            sp.entity_id: "KIBANA_ENDPOINT_URL/"
            sp.acs: "KIBANA_ENDPOINT_URL/api/security/saml/callback"
            sp.logout: "KIBANA_ENDPOINT_URL/logout"
```
Kibana settings (kibana.yml, or the Kibana user settings on Elastic Cloud). `realm` must be the name of the SAML realm defined in Elasticsearch:

```yaml
xpack.security.authc.providers:
  saml.saml1:
    order: 0
    realm: cloud-saml
    description: "Log in with my SAML"
  basic.basic1:
    order: 1
```
Enterprise Search settings (enterprise-search.yml). The source `elasticsearch-saml` tells Enterprise Search to authenticate through the SAML realm configured in Elasticsearch:

```yaml
ent_search.auth.saml1.source: elasticsearch-saml
ent_search.auth.saml1.order: 1
ent_search.auth.saml1.description: "SAML login"
ent_search.auth.saml1.icon: "https://xxxx.jpg"
```
By default, users authenticating via SAML have no roles assigned to them. For example, to give every user who authenticates through the `cloud-saml` realm access to Kibana, issue the following role mapping request to Elasticsearch. The `realm.name` value must be the realm name configured above, otherwise the mapping never matches and users still land without roles:

```
POST /_security/role_mapping/CLOUD_SAML_TO_KIBANA_ADMIN
{
  "enabled": true,
  "roles": [ "kibana_admin" ],
  "rules": {
    "field": { "realm.name": "cloud-saml" }
  },
  "metadata": { "version": 1 }
}
```
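The four pieces above (Okta app, Elasticsearch realm, Kibana provider, role mapping) only work when they refer to the same ACS URL, entity ID and realm name. The following Python check is an added example, not code from this page or from Elastic; the `KIBANA_URL` value and the flat dotted-key dicts are constructed stand-ins for the real settings.

```python
import json

KIBANA_URL = "https://kibana.example.test"  # constructed stand-in for KIBANA_ENDPOINT_URL

# Constructed inputs mirroring the snippets on this page, in flat dotted-key form.
OKTA_APP = {"sso_url": f"{KIBANA_URL}/api/security/saml/callback",
            "audience_uri": f"{KIBANA_URL}/"}
ES_SETTINGS = {
    "xpack.security.authc.realms.saml.cloud-saml.order": 2,
    "xpack.security.authc.realms.saml.cloud-saml.attributes.principal": "nameid:persistent",
    "xpack.security.authc.realms.saml.cloud-saml.sp.entity_id": f"{KIBANA_URL}/",
    "xpack.security.authc.realms.saml.cloud-saml.sp.acs": f"{KIBANA_URL}/api/security/saml/callback",
}
KIBANA_SETTINGS = {
    "xpack.security.authc.providers.saml.saml1.order": 0,
    "xpack.security.authc.providers.saml.saml1.realm": "cloud-saml",
}
ROLE_MAPPING = json.loads(
    '{"enabled": true, "roles": ["kibana_admin"],'
    ' "rules": {"field": {"realm.name": "cloud-saml"}}, "metadata": {"version": 1}}'
)

def saml_realms(es):
    """Names of the SAML realms defined in the Elasticsearch settings."""
    prefix = "xpack.security.authc.realms.saml."
    return {k[len(prefix):].split(".")[0] for k in es if k.startswith(prefix)}

def check_saml_wiring(kibana_url, okta, es, kibana, mapping):
    """Return the mismatches between Okta app, ES realm, Kibana provider and role mapping."""
    findings = []
    acs = kibana_url.rstrip("/") + "/api/security/saml/callback"
    realms = saml_realms(es)
    for realm in realms:
        r = f"xpack.security.authc.realms.saml.{realm}."
        if not (es.get(r + "sp.acs") == okta["sso_url"] == acs):
            findings.append(f"{realm}: sp.acs must equal the Okta Single sign on URL {acs}")
        if es.get(r + "sp.entity_id") != okta["audience_uri"]:
            findings.append(f"{realm}: sp.entity_id must equal the Okta Audience URI, slash included")
    for k, v in kibana.items():
        if k.startswith("xpack.security.authc.providers.saml.") and k.endswith(".realm") and v not in realms:
            findings.append(f"Kibana provider {k} points at unknown realm '{v}'")
    mapped = mapping.get("rules", {}).get("field", {}).get("realm.name")
    if mapped not in realms:
        findings.append(f"role mapping targets realm '{mapped}', which is not a configured SAML realm")
    if not mapping.get("enabled") or not mapping.get("roles"):
        findings.append("role mapping is disabled or grants no roles, so SAML users still get nothing")
    return findings

if __name__ == "__main__":
    for line in check_saml_wiring(KIBANA_URL, OKTA_APP, ES_SETTINGS, KIBANA_SETTINGS, ROLE_MAPPING) or ["ok"]:
        print(line)
```

A role mapping whose `realm.name` is a leftover placeholder, or an Audience URI missing the trailing slash, is reported as a finding rather than silently leaving users without roles.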